Vol. 1 · Ed. 2026
CyberGlossary
Entry № 801

Mutual TLS (mTLS)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Mutual TLS (mTLS)?

Mutual TLS (mTLS): An extension of TLS in which both the client and the server present X.509 certificates so that each side cryptographically authenticates the other.

Mutual TLS is a variant of the TLS handshake in which the server requests a client certificate in addition to presenting its own. After each side validates the other's certificate chain and verifies possession of the corresponding private key, the two endpoints establish an encrypted, mutually authenticated session. It is widely used for machine-to-machine and service-to-service communication in zero-trust architectures, API gateways, service meshes, and VPN replacements. Defences and hygiene include short-lived certificates issued by a private CA, automated rotation, OCSP or CRL checking, and strict identity matching, so that a token or bearer credential is rejected when the client certificate presented does not match the identity it was bound to.

Examples

  1. A Kubernetes service mesh that issues SPIFFE identities so every pod-to-pod call uses mTLS.

  2. An API gateway that requires partner systems to present a client certificate signed by an internal CA.
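As an added example (not code from the glossary or from any mesh or gateway it mentions), here is how a Go server enforces the two steps the definition describes: require a client certificate chained to a trusted CA, then apply strict identity matching on the SPIFFE URI SAN, as a service mesh or internal-CA gateway would. The allowlist, the `spiffe://example.org/...` identity and the `leafWithURI` helper are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/url"
)

// allowedIDs is an assumed allowlist of SPIFFE workload identities (constructed here).
var allowedIDs = map[string]bool{"spiffe://example.org/ns/payments/sa/api": true}

// verifyPeerIdentity is a tls.Config.VerifyPeerCertificate hook. With
// RequireAndVerifyClientCert, Go calls it only after the chain has validated against
// ClientCAs, so it adds strict identity matching: the leaf must carry an allowlisted
// SPIFFE URI SAN, or the handshake is rejected even though the CA signature was valid.
func verifyPeerIdentity(_ [][]byte, chains [][]*x509.Certificate) error {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return fmt.Errorf("mtls: no verified client chain")
	}
	leaf := chains[0][0]
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" && allowedIDs[u.String()] {
			return nil
		}
	}
	return fmt.Errorf("mtls: none of %d URI SANs is an allowlisted identity", len(leaf.URIs))
}

// serverConfig is the server side: present our own certificate, require a client
// certificate chained to clientCAs, then run the identity hook on the verified leaf.
func serverConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{serverCert},
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             clientCAs,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: verifyPeerIdentity,
	}
}

// leafWithURI builds a bare certificate value with one URI SAN (constructed test input).
func leafWithURI(rawURI string) *x509.Certificate {
	u, err := url.Parse(rawURI)
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{URIs: []*url.URL{u}}
}
```

The same hook works on the client side of a service-to-service call to pin the expected server identity, rather than trusting any certificate the private CA has issued.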

Frequently asked questions

What is Mutual TLS (mTLS)?

An extension of TLS in which both the client and the server present X.509 certificates so that each side cryptographically authenticates the other. It belongs to the Network Security category of cybersecurity.

What does Mutual TLS (mTLS) mean?

An extension of TLS in which both the client and the server present X.509 certificates so that each side cryptographically authenticates the other.

How do you keep a Mutual TLS (mTLS) deployment secure?

Securing an mTLS deployment combines technical controls and operational practices: a private CA issuing short-lived certificates, automated rotation, OCSP or CRL checking, and strict identity matching of the client certificate, as detailed in the full definition above.

What are other names for Mutual TLS (mTLS)?

Common alternative names include: Two-way TLS, Client-authenticated TLS.
